protecting network assets
DESCRIPTION
Protecting Network Assets. CAMP: Bridging Security and Identity Management Christopher Misra 14 February 2008 Tempe, AZ. Agenda- DRAFT, needs to be updates. Automated Security and Policy Enforcement History New Challenges Background/Roles of: NAC IdM Network Segmentation - PowerPoint PPT PresentationTRANSCRIPT
Office of Information Technologies
CAMP: Bridging Security and Identity Management
Christopher Misra14 February 2008
Tempe, AZ
Protecting Network Assets
Agenda- DRAFT, needs to be updates
Automated Security and Policy Enforcement• History• New Challenges
Background/Roles of:• NAC• IdM• Network Segmentation
What might we do?• Firewall traversal
Grid case Standards
Session Abstract
Can IAM be helpful in managing network intrusions and access policies?
Can IAM correctly correlate identity to an endpoint device by combining network registration and personal identification?
Can coupling network capabilities and IAM replace the use of IP addresses as the criterion for access with identity, roles, and related attributes?
This session will explore these questions and how one can identify the person behind the device or address.
Managing Network Intrusions?
Initial NAC deployments were not driven by architectural decisions• Large numbers of unmanaged systems connected to
campus network• Primarily in residence halls
• Battle scars from Code Red, Nimda, and Blaster
However, we did leverage campus IAM successfully• And we effectively created a device registry
• Even if we didn’t integrate this data with our IAM
How we got here…or, before NAC was cool… Why “Automate Security and Policy
Enforcement”?From the SALSA-Netauth document Strategies for Automating Network Policy Enforcement:
“(A) major security challenge facing university residential networks and other large-scale end-user networks is the thousands of privately owned and unmanaged computers directly connected to an institution's relatively open, high-speed Internet connections. Security policy enforcement is often lax due to a lack of central control over end-user computers and an inability to tie the actions of these computers to particular individuals. A few times a year there are surge events, including the predictable start of each semester and the unpredictable and increasingly frequent reactions to large-scale security incidents, that require massive support intervention.
Even though it wasn’t cool, we implemented NAC
Detection
Take Enforcement Action and return to Policy Decision
Remediation
Notification
Isolation
PolicyEnforcement
Applied
Network Transitions
to New State
Network Transitions to a fully compliant or
non-compliant final state .
Policy Action :None Required
Policy Action : Move to new state
Policy Action :EnforcementAction Required
External Event Occurs – Policy Decision Check
Required
Workflow Diagram
Policy Decision
Lookup to Policy
Repository
Detection
And here we are…I guess NAC is cool now..
Network Access Control: Vendor Definitions
“Using the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources” – Cisco
“…combines user identity and device security state information with network location information, to create a unique access control policy…“ - Juniper
Why did we implement NAC systems?
Only automated approaches can scale and respond rapidly to large-scale incidents.
Preventative policy enforcement reduces risk:• overall number of security vulnerabilities• the success of any particular attack technique.
Automated remediation systems have a positive impact on a large number of hosts with a relatively small time investment from computing staff.
Network Access Control
Higher education created many early systems of what is now termed NAC (Network Access Control)• Southwestern Netreg, CMU Netreg,
Packetfence, others
Currently there are many commercial offerings in the space• 30+ vendors at last count• Major deployments by Cisco, Microsoft, Juniper
and others
Network Access Control in Higher Ed
Characteristics of higher ed networks lead to unique challenges• Large numbers of unmanaged systems
connected to campus network• Residence halls• Heterogeneous computing base• Frequently no ubiquitous administration
structure• Complex network Use Cases
Network Access Control in Higher Ed
Associating a device with an identity• Is the user a member of the campus community?• Leveraging campus IdM
Determining a host’s posture• Is the host compliant with local policy?• Measuring device state against campus IT security
standards
Role-based network assignment• What network perimeter is appropriate for this host?• vLAN, subnet, firewalls, ids
NAC Basics
Registration options include:• Open DHCP (“free love”)• DHCP with MAC registration (“netreg”)• Web middlebox (“portal”)• 802.1x (“supplicant”)
Enforcement types include:• vLAN isolation/DHCP scope isolation• Network-based firewall/Host-based filters• Class of Service (rate limit)
NAC: Posture assessment
Original implementations used active network-based scanning• Windows XP SP2 rained on this parade• But security staff didn’t compliance
Many sites migrated to client-based posture assessment• Running code on endpoints to validate
compliance• Could be implemented in the 802.1x supplicant
NAC is Complicated
Administrative Domain (AD)
Access Requestor (AR)
Network Node Policy Enforcement Point (PEP)
Network Element
Network Detection Point (NDP )
Network Element
Policy Decision Point (PDP)
Policy Server
Identity / Integrity
Request
Request
AAA/Policy Query
AAA/PolicyQueryTerminology
PDP – Policy Decision Point (RFC 2753 )PEP – Policy Enforcement Point (RFC 2753 )AR – Access Requestor (TCG TNC & RFC 2906 )AD – Administrative Domain (RFC 2753 )
Data Repository (DR)
Policy,Authentication ,
Authorization DB
Identity / Integrity
Decision
Decision
Federations have a role here also
Enable members of one institution to authenticate to the wireless network at another institution using their home credentials • E,g, eduroam which stands for Education Roaming, is a
RADIUS-based infrastructure that uses 802.1X security technology to allow for inter-institutional roaming.
• “Being part of eduroam allows users visiting another institution connected to eduroam to log on to the WLAN using the same credentials(username and password) the user would use if he were at his home institution. “
Effectively need to achieve identity discovery Also applicable to Grid environments
Correlating identity to device to privilege
We’ve done a pretty effective job so far• But the drivers were not traditional IAM drivers
Can we assign a meaningful Level of Assurance to this correlation?• Not so sure.
Are we willing to use this correlation to grant privileges?• Dynamic vLAN assignments?• Firewall traversal capabiltiies?
Correlating identity to device to privilege
We need to understand the relationship between user identity, device identity, and host integrity (posture)• This is complicated further in a federated environment
Does (user + device) == privilege?• What about users with multiple roles?
Is this a network, security, or idm problem?• D) All of the above
Perhaps we need to step back and take an architectural view of this…
Drivers for NAC standards
Community desire for interoperable components• Heterogeneous campus environment
Modular network architecture• Ability to use commercial and open source components
• Vendor-made switches• Open-source registration and remediation
NAC Standards space
Trusted Computing Group• Trusted Network Connect
Vendor ‘standards’• Cisco NAC• Microsoft NAP
IETF NEA• Chartered only for client-server protocols
